(57) ABSTRACT

An e-mail firewall (105) applies policies to e-mail messages (204) between a first site and a plurality of second sites in accordance with a plurality of administrator selectable policies (216). The firewall comprises a simple mail transfer protocol (SMTP) relay (202) for causing the e-mail messages (204) to be transmitted between the first site and selected ones of the second sites. A plurality of policy managers (216) enforce administrator selectable policies. The policies, such as encryption and decryption policies, comprise at least a first source/destination policy (218), at least a first content policy (220) and at least a first virus policy (224). The policies are characterized by a plurality of administrator selectable criteria (310), a plurality of administrator selectable exceptions (312) to the criteria and a plurality of administrator selectable actions (314, 316, 322) associated with the criteria and exceptions. The policy managers comprise an access manager (218) for restricting transmission of e-mail messages (204) between the first site and the second sites in accordance with the source/destination policy (218). The policy managers (216) further comprise a content manager (220) for restricting transmission of e-mail messages (204) between the first site and the second sites in accordance with the content policy (220), and a virus manager (224) for restricting transmission of e-mail messages (204) between the first site and the second sites in accordance with the virus policy (224).

19 Claims, 9 Drawing Sheets
E-MAIL FIREWALL WITH STORED KEY ENCRYPTION/DECRYPTION

RELATED APPLICATIONS

This application claims priority to U.S. Provisional Patent Application 60/053,668 filed on Jul. 24, 1997.

BACKGROUND OF THE INVENTION

1. Technical Field

This application pertains generally to the field of computer security and more specifically to security for electronic mail systems.

2. Background Art

The widespread use of electronic mail (e-mail) and groupware applications coupled with the growth and ubiquity of the Internet have opened new avenues for business level communications and electronic commerce. Organizations are increasingly relying on e-mail for the transfer of critical files such as purchase orders, sales forecasts, financial information and contracts both within the organization and increasingly with other organizations via the Internet. In this setting, these files are now tangible information assets that must be protected.

A number of conventional security measures exist to insure the confidentiality and integrity of modern data communications. For example, traditional firewalls prevent network access by unauthorized users. Secure sockets technology allows for data to be passed securely over the World Wide Web (WWW). E-mail, however, which is by far the most prominent application over the Internet, still remains problematic, from a security standpoint, for most organizations. Many traditional firewalls simply limit access to information protected by the firewall but do not contain the capability to limit transfer of information, into or out of an organization, by way of e-mail. This can lead to inadvertent or deliberate disclosure of confidential information from e-mail originating within an organization and introduction of viruses from e-mail entering an organization.

One solution to protecting confidentiality of e-mail messages is by encrypting such messages. Further security is available by way of digital signatures, which provide for authentication of e-mail messages. Encryption and authentication are both supported in the S/MIME (Secure/Multipurpose Internet Mail Extensions) messaging protocol defined in documents generated by the Internet Engineering Task Force (IETF) entitled "S/MIME Message Specification" (1997) and "S/MIME Certificate Handling" (1997). Individual users can encrypt/decrypt and authenticate e-mail messages using commercially available software. However, the use of software to perform such tasks is not always simple and therefore can detract from the inherent ease of use of e-mail as a means of communication. Moreover, an organization wishing to use such software must rely on individual users to encrypt all necessary messages without means of any centralized control. In addition, many conventional firewalls contain no capability to control the content or format of certain messages that enter or exit an organization. For example, many conventional firewalls contain no capability to ensure that e-mail meeting certain criteria such as content or source and/or destination address or domains, is encrypted. In addition, many conventional firewalls contain no capability to control unwanted messages entering an organization such as unsolicited e-mail advertising.

There is accordingly a need for an e-mail firewall that provides improved centralized control over e-mail messages exiting and entering an organization.
SUMMARY OF THE INVENTION

In a principal aspect, the present invention provides an e-mail firewall (105) for screening e-mail messages (204) originating in, or entering into a computer network (101, 103). Embodiments employing the principles of the present invention advantageously take the form of an e-mail control system (105) that controls e-mail messages (204) transmitted from and received by a computing site. The e-mail control system (105) includes a message encryptor (526) which encrypts, in accordance with at least a first stored encryption key (528), a first designated type of message (204) transmitted from the computing site. A message decryptor (552) decrypts, in accordance with at least a second stored encryption key (528), a second designated type of message (204) received by the computing site. A filter (216) monitors messages (204), after decryption by the decryptor (552) and before encryption by the encryptor (526), in accordance with changeable filter information.

A significant advantage of such embodiments is increased centralized control of e-mail policies by an organization. All e-mail messages entering into or originating within an organization can be encrypted or decrypted and filtered in accordance with policies imposed by the organization. Individual users of desktop computers within the organization therefore need not be concerned with ensuring that they comply with e-mail policies of the organization. E-mail messages can be monitored for certain content, or for certain sources or destinations.

Advantageously, embodiments employing the principles of the present invention operate transparently to individual users within an organization. For example such individual users need not be concerned with complying with encryption policies of the organization. E-mail messages containing certain content, or originating from, or being transmitted to specified addresses or domains, can be automatically encrypted and/or filtered. For example, if an organization (e.g. Company A) which frequently exchanges e-mail with another organization (e.g. Company B) determines that all e-mail to Company B should be encrypted for security purposes, then an e-mail firewall in Company A as described above, can be configured to recognize the domain name of Company B and to store an encryption key. Thereafter, all e-mail messages from Company A to Company B will be encrypted by the above described e-mail firewall without requiring any additional action by individual users. If Company B has installed an e-mail firewall employing the above described principles then that e-mail firewall can be configured to decrypt messages from Company A. Individual recipients in Company B of e-mail from Company A therefore need not take any additional action to decrypt e-mail from Company A. All e-mail messages from Company A to Company B can therefore be securely exchanged with no intervention from users at Company A or Company B. Of course, the e-mail firewall of Company B can be configured to allow similar transmission of e-mail messages from Company B to Company A.

In addition, other policies can be enforced with respect to transmission of messages between Company A and B. For example, inadvertent (or even deliberate) disclosure of certain information between Companies A and B can be reduced by configuring the above described filter of the e-mail firewall in question with rules to recognize and prevent transmission of e-mail messages containing certain terms or phrases. The e-mail firewall may also be configured with exceptions to such rules. For example, e-mail from or
to certain users may be exempted from such rules. Also, actions taken by the e-mail firewall after a message is prevented from being transmitted are changeable. For example, the message in question may be returned to the sender with an explanatory message. Alternatively, or in addition, the message may be stored for viewing by an administrator, or the messages may be deleted. Multiple encryption keys, each associated with one or more domains or individual addresses, may be stored in e-mail firewalls employing the aforesaid principles to allow secure communications with multiple domains and/or individual users.

These and other advantages may be better understood by reference to the following detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 of the drawings is a block diagram showing a plurality of e-mail networks which are coupled by way of the Internet and which employ an e-mail firewall employing the principles of the present invention.

FIG. 2 of the drawings is a block diagram of a preferred embodiment of an e-mail firewall.

FIGS. 3 and 4 are block diagrams illustrating further details of operation of the e-mail firewall of FIG. 2.

FIGS. 5(a), 5(b) and 5(c) are block diagrams illustrating alternative secure e-mail communication mechanisms.

FIGS. 6(a) and 6(b) are flowcharts illustrating operation of a preferred embodiment of an e-mail firewall.

FIG. 7 is a block diagram showing further details of a portion of FIGS. 6(a) and 6(b).

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

In FIG. 1 of the drawings, e-mail networks 101 and 102 are coupled to e-mail network 103 by way of a Wide Area Network (WAN) 104 such as the Internet. Disposed between the Internet 104 and e-mail networks 101 and 103 are an access firewall 106 and an e-mail firewall 105. E-mail network 102 is coupled to Internet 104 only by access firewall 106.1. E-mail networks 101, 102 and 103 may each take a conventional form. For example, e-mail networks 101-103 may take the form of a Local Area Network (LAN) or a plurality of LANs which support one or more conventional e-mail messaging protocols. Access firewalls 106 may also take a conventional form. Access firewalls 106 operate to limit access to files stored within a computer network, such as e-mail networks 101-103, from remotely located machines. E-mail firewalls 105 (individually shown as 105.1 and 105.2) advantageously take a form as described in further detail herein to control transmission of electronic mail messages between an internal site and one or more external sites. An internal site for e-mail firewall 105.2, by way of example, may take the form of e-mail network 103. External sites for e-mail firewall 105.2 are any sites not contained in e-mail network 103. For example, external sites for e-mail firewall 105.2 are any sites in e-mail networks 101 and 102 as well as any other sites coupled to Internet 104. E-mail firewall 105 is preferably positioned on the "safe-side" of the access firewall 106. FIG. 1 should be understood as showing, by way of an example, the principles of the embodiments described herein. The access firewalls 106 are shown only for purposes of explanation and are not required for operation of embodiments employing the principles of the present invention.

Preferably the e-mail firewall 105 takes the form of a program executing on a conventional general purpose computer. In an exemplary embodiment, the computer executes the Windows NT operating system available from Microsoft Corp., Redmond, Wash. Although e-mail firewall 105 is shown in FIG. 1 as operating on e-mail messages between an internal site and an external site, the e-mail firewall 105 [...] exchange messages between two internal sites for computer networks with SMTP compliant messaging backbones.

FIG. 2 of the drawings illustrates in block diagram form functional components of e-mail firewalls 105.1 and 105.2. In FIG. 2, a Simple Mail Transfer Protocol (SMTP) relay module 202 [...] conventional Internet relay host. An example of an Internet relay host is the sendmail program. The SMTP relay module transmits and receives e-mail messages such as shown at 204 to and from an internal site 210 and external sites 212. E-mail message 204 takes the form of a conventional e-mail message which contains a plurality of user specified information fields, such as source field 205 specifying an e-mail address for the source of the message 204, a destination field 206 specifying one or more destination e-mail address(es) for the message 204, a subject field 207 specifying a subject of the message 204, a body field 208 specifying the body of the message 204 containing textual and/or graphics data, and attachment field 209 specifying one or more files to be transmitted with the message 204. Other user specified fields include, but are not limited to, priority of the message, identity of the sending agent and the date and time of the message.

E-mail message 204 may be encoded in accordance with one of a plurality of encoding formats as explained in further detail herein. The SMTP relay module 202 preferably takes a conventional form of a software module which receives and transmits e-mail messages in accordance with the Simple Mail Transfer Protocol as specified by Internet RFC 821. The SMTP protocol is not critical and in other embodiments, the SMTP relay module may be replaced with a module that receives and/or transmits messages in other formats such as the File Transfer Protocol (FTP) or the Hyper-Text Transfer Protocol (HTTP).

The SMTP relay module 202 can preferably be configured to use Domain Name System (DNS) to determine routing to message recipients or alternatively can relay messages to an administrator specified SMTP host. If DNS is selected, a default SMTP host can still be specified to allow a message to be forwarded even if DNS service is not available. The routing option can be overridden on a per-domain basis. The SMTP relay module 202 advantageously allows inbound and outbound SMTP connections to be limited from or to specific hosts and allows connections to or from specific SMTP hosts to be denied.

FIG. 3 illustrates the manner in which messages received by the SMTP relay module 202 from internal site 210 and external sites 212 are processed by policy engine 214. Policy engine 214 accepts messages from SMTP relay module 202 and determines which policies are applicable to a message by building a list 302 of sender policies for the sender (source) 205 of the message, and building a list 304, 306 and 308 of recipient policies for each recipient. The policy engine 214 then calls the policy managers 216 to apply each policy. The different types of policies have a predetermined priority in which they are applied. For example, decryption policies are applied before other policies, to allow the policies that operate on the body 208 of the message to be able to access the contents contained therein. In an alternative embodiment, the order in which the policies are applied is selectable by a system administrator. Access manager
policies get applied after decryption policies and then the other policy managers are called repeatedly and in the order implied by the policies to be applied to the message. The policy engine 214 then receives results from policy managers 216 and transmits messages to SMTP relay module 202 in accordance with the received results. The results received by the policy engine 214 comprise actions such as disposition, annotation and notification described in further detail herein. The result of processing of a message 204 by policy engine 214 can result in generation of a plurality of additional messages, for example, for notification to the sender or recipient, or to the system administrator. In a preferred embodiment, the policy engine 214 is implemented as a program executed by a digital computer.

Policy managers 216 operate to enforce policies entered by an administrator of e-mail firewall 105. Policy managers 216 preferably comprise a plurality of modules for enforcing administrator configured policies directed to specific aspects of e-mail messages. For example, in e-mail firewall 105, policy manager 216 implements a plurality of manager modules including an access manager 218, a content manager 220, a format manager 222, a virus manager 224 and a security manager 226. Policy managers 216 are preferably developed by inputs entered by an administrator by way of configuration module 230. Configuration module 230 also operates, in response to information entered by an administrator, to configure SMTP relay 202 and policy engine 214. The policy managers shown in FIG. 2 and described herein are merely illustrative of an exemplary embodiment. Other types of policy managers are contemplated as being within the principals described herein.

Access manager 218 provides enforcement of access control policies such as destinations to which e-mail is prohibited from being sent, or sources from which e-mail cannot be received. Access manager 218 can also filter messages that exceed a maximum message size determined by an administrator, or which contain specific words in the subject field 207 of the message. Access manager 218 can also filter a message by the priority of the message specified by the user. For example, high priority messages can be passed through immediately while low priority messages are stored in a queue, explained in further detail in connection with FIG. 7. Access manager 218 can also filter messages by the date and/or time of transmission of the message. For example, messages transmitted between certain hours of the day or on certain days, such as weekends or holidays may be retained or further filtered, by, for example, content manager 220.

Content manager 220 supports the enforcement of content control policies. Preferably content manager 214 supports filtering by one or more of the following criteria: (a) specific words in the body 208; (b) specific words in the subject 207 or body 208; (c) attachment 209 (all or by name/type). Content control policies, and other appropriate policies, can also be specified to require certain material, such as for example, certain notices or disclaimers. Virus manager 224 supports the enforcement of virus control policies by detecting virus infected e-mail attachments. Virus manager 224 preferably detects viruses contained in a plurality of compressed file formats including PKZip, PKLite, ARJ, LZExe, LHA, and MSCompress. Virus manager 224, by way of example, may use a commercially available virus scanning engine. Virus manager 224 also preferably applies policies on "clean messages," that is, messages that have been scanned for a virus and found to be free of any viruses. On such messages a "clean stamp" annotation is added to indicate that no viruses were detected.

Format manager 222 provides conversion of an e-mail message from a first format to a second format. In a preferred embodiment, format manager 222 converts messages from conventional UUENCODE format to MIME format. Preferably format manager 222 converts messages prior to message processing by other policy managers.

Security manager 226 preferably enforces a plurality of e-mail encryption policies. Preferably, security manager 226 enforces a client security usage policy, a preserve encryption policy, a plain text access policy, and default action policies. Security manager 226 also applies, on behalf of users, proxy encryption and signature policies, as discussed in further detail in connection with FIG. 5(b).

Client security usage policies specify that certain users should perform encryption or signature at the desktop. Additional criteria can be set to indicate when this policy should be enforced. For example, an e-mail from a company's CEO to the company's legal counsel by the domain or full e-mail address can be specified to require encryption or signatures to enforce attorney-client privilege and to preserve encryption policies. Moreover, client security usage policies can be used to specify that messages that are already in encrypted form and perhaps meet some other criteria should be preserved, in other words, not processed or modified or encrypted by the e-mail firewall 105. Plain text access policies require that the e-mail firewall 105 be designated as a recipient on certain types of specified messages. The e-mail firewall 105 is designated as a recipient on encrypted messages in order to apply access, content, virus, and other policies on the message. Plain text access policies can also be used to send a signed notification to the sender of a message as a way of providing the sender with the e-mail firewall 105's public key. Default action policies indicate the action to be taken on messages that are not encrypted and will not be encrypted by the e-mail firewall 105 and which optionally meet some other criteria. This policy type is used to ensure that certain messages get encrypted somewhere, whether at the desktop or by the e-mail firewall 105.

Policies are preferably entered by an authorized administrator by way of configuration module 230 which preferably takes the form of a program executing on a stored program computer. Policies can advantageously be applied to users, either individually or by e-mail domains or other groupings. FIG. 4 shows an example of how policies are applied. Users can be organized in a hierarchical directory-type structure to facilitate grouping of users and/or domains. If a policy is applied to a given directory then sub-directories corresponding to the given directory inherit such policies. For example, in FIG. 4, policy 1 applies to sub-directory 404 and thus applies to all sub-directories, domains and users, such as sub-directory 412, user 408, and domain 410, corresponding to sub-directory 404, unless that policy is explicitly overridden by another policy applied to a particular sub-directory or to an intervening sub-directory. For example, policy 3 will override, for user 1 (shown at 408), policy 1 where there are conflicts between policy 1 and policy 3, and will supplement policy 1 where there are no conflicts. Exception 1 will override policies 1 and 3 for the particular exception specified in exception 1. As further shown in FIG. 4, policy 1 applies to users 414, 416 and 418 and is overridden by policy 2 for users 414, 416 and 418 in the event of conflicts, and is supplemented where there are no conflicts. This advantageously allows policies to be easily applied to groups of users. The exact manner in which the policies are stored is not critical, however, and a variety of means and formats of storage may be employed.
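The inheritance, override and exception rules just described for the directory-type structure of FIG. 4 can be stated as a short resolution routine. The following is an added example, not code from the patent or from any product built on it; the node names follow the reference numerals of FIG. 4, while the contents of the policies, the setting names and the exception's matching rule are constructed for illustration.

```python
"""Policy resolution over a hierarchical directory-type structure (FIG. 4):
a policy applied to a directory is inherited by the sub-directories, domains
and users under it; a policy applied deeper overrides the inherited one where
the two conflict and supplements it where they do not; an exception overrides
both for the specific case it names. Added example; policy contents are
constructed, not taken from the patent."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DirNode:
    name: str
    parent: Optional["DirNode"] = None
    policies: list = field(default_factory=list)    # each policy: dict of setting -> value
    exceptions: list = field(default_factory=list)  # each: {"match": {...}, "override": {...}}


def chain(node: DirNode) -> list:
    """Ancestors root-first, ending at node itself."""
    out = []
    while node is not None:
        out.append(node)
        node = node.parent
    return out[::-1]


def effective_policy(node: DirNode, headers: dict) -> dict:
    """Merge policies from the root down (deeper policies override conflicting
    settings and add the rest), then apply any exception whose match fields all
    agree with the message headers; the deepest matching exception wins."""
    settings = {}
    for n in chain(node):
        for policy in n.policies:
            settings.update(policy)
    for n in chain(node):
        for exc in n.exceptions:
            if all(headers.get(k) == v for k, v in exc["match"].items()):
                settings.update(exc["override"])
    return settings


def build_fig4_tree() -> dict:
    """A tree shaped like FIG. 4; policy 1 and policy 3 conflict on one setting only."""
    root = DirNode("root")
    policy1 = {"encrypt_outbound": True, "virus_scan": True}          # constructed
    sub404 = DirNode("sub-directory 404", root, policies=[policy1])
    sub412 = DirNode("sub-directory 412", sub404)
    domain410 = DirNode("domain 410", sub404)
    policy3 = {"encrypt_outbound": False, "max_size_kb": 2048}        # constructed
    exception1 = {"match": {"to_domain": "counsel.example"},          # constructed
                  "override": {"encrypt_outbound": True}}
    user408 = DirNode("user 1 (408)", sub404, policies=[policy3], exceptions=[exception1])
    return {"sub404": sub404, "sub412": sub412, "domain410": domain410, "user408": user408}


if __name__ == "__main__":
    tree = build_fig4_tree()
    print(effective_policy(tree["sub412"], {}))
    print(effective_policy(tree["user408"], {"to_domain": "other.example"}))
    print(effective_policy(tree["user408"], {"to_domain": "counsel.example"}))
```

For sub-directory 412 only policy 1 applies; for user 408 policy 3 overrides the `encrypt_outbound` setting and adds `max_size_kb` while `virus_scan` is inherited unchanged; exception 1 restores encryption only for mail to the matched domain.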
E-mail messages 204 received and/or transmitted by SMTP relay 202 are preferably encoded in accordance with the S/MIME (Secure/Multipurpose Internet Mail Extension) protocol as specified by the Internet Engineering Task Force in documents entitled "S/MIME Message Specification" (1997) and "S/MIME Certificate Handling" (1997). Advantageously, the S/MIME protocol builds security on top of the industry standard MIME protocol according to Public Key Cryptography Standards (PKCS) specified by RSA Data Security, Inc. S/MIME advantageously offers security services for authentication using digital certificates, and privacy, using encryption. Digital certificates are preferably implemented in accordance with the X.509 format as specified in "Information Technology-Open Systems Interconnection-The Directory: Authentication Framework," also known as ITU-T Recommendation X.509 (June 1997). Encryption is preferably performed by one of the following symmetric encryption algorithms: [...] Triple-DES, and RC2. The S/MIME protocol is well known and widely used and provides encryption and digital signatures and is therefore preferable as a communications protocol. The precise details by which the protocol operates are not critical. Moreover, it should be understood that other secure messaging protocols, such as PGP (Pretty Good Privacy) or Open PGP, as specified by the IETF working group, may also be used.

Access manager 218 is the first policy manager to process e-mail message 204. Access manager 218 operates only on message header information which is not encrypted. Thus, access manager 218 may operate on an e-mail message 204 prior to decryption by S/MIME engine 215. The term "message header information" generally refers to portions of the message excluding the body 208 (also commonly referred to as message text) and attachments 209. Thus the header information includes the source, destination and subject fields (205, 206, 207). Other fields that may be included in the message header include date/time stamp, priority and sending agent. The remainder of the modules operate on the message 204 after processing by S/MIME engine 215. As previously noted, format manager 222 preferably operates on messages prior to operation by other managers such as virus manager 224, security manager 226 and content manager 220.

The S/MIME protocol allows two sites which support the S/MIME protocol to exchange secure e-mail messages 204. A type of virtual private network (VPN), as shown in FIG. 5(a), can be achieved if both the transmitting and receiving site perform S/MIME functions. The resulting VPN, termed herein an "object level e-mail VPN," provides encryption/signature and/or decryption/verification of messages between transmitting and receiving site(s). In the object level e-mail VPN shown in FIG. 5(a), each object (message) is encrypted individually and sent over a standard (SMTP) transport medium where each object (message) is decrypted at the other end. Advantageously, the object level e-mail VPN does not require a secure real-time connection as required by conventional VPNs. As shown in FIG. 5(a), mail servers 105.1 and 105.2 perform functions described herein for e-mail firewall 105, and as a result, achieve an object level e-mail VPN between them. E-mail that is encrypted and transmitted between servers 105.1 and 105.2 is protected from disclosure to third parties, despite the fact that e-mail transmitted via the Internet 104 may pass through numerous unsecure servers before reaching its destination. In such an exchange, e-mail firewalls 105.1 and 105.2 provide key pair and public key certificate generation and provide automated or manual public key certificate exchange with the other S/MIME server. In addition, e-mail firewalls 105.1 and 105.2 allow: identification of the other S/MIME server through directory domain records, association of directory domain records with server certificates and selection of encryption/signature algorithms and key lengths. The directory domain records, and the directory user records referred to below, are as described in FIG. 4.

Exchange of S/MIME encoded messages may also be performed between the e-mail firewalls 105.1 or 105.2 and an S/MIME client coupled to a server that does not perform S/MIME functions. FIG. 5(b) illustrates an exchange between e-mail firewall 105 and a S/MIME client coupled to a non-S/MIME server 506. In FIG. 5(b) server 105.1 encrypts and decrypts messages on behalf of client 502 and [...] firewalls 105.1 and 105.2. Specifically, in such an exchange, e-mail firewall 105.1 provides key pair and public key generation and provides automated or manual public key certificate exchange with the client 508.1. In addition, e-mail firewall 105.1 allows: identification of the client 508.1 through directory user records, association of directory user records with user certificates and selection of encryption/signature algorithms and key lengths. Client 508.1 provides encryption/decryption services to allow messages to be transmitted securely through server 506 by supporting encryption/decryption services. A specific type of object level VPN, referred to herein as "proxy security", is achieved in FIG. 5(b) between the server 105.1 and the client 508.1. In proxy security, at least one client is involved in performing encryption/decryption, such as client 508.1 in FIG. 5(b). This is in contrast to the arrangement of FIG. 5(a), where the encryption/decryption services performed by servers 105.1 and 105.2 are transparent to the clients 502.1 and 502.2.

In FIG. 5(a), communications between servers 105.1 and 105.2 are secure, but communications between clients 502.1 and 502.2 and their respective servers 105.1 and 105.2 are not secure. In many such installations, security is not necessary. However, if such security is desired, then the clients 508.1 and 508.2 can also be equipped with encryption/decryption services to perform proxy security. The servers 105.1 and 105.2 of FIG. 5(c) perform the same function described above in connection with FIG. 5(a) and therefore achieve an object level VPN. In addition, the clients 508.2 and 508.1 allow secure communications between corresponding servers 105.1 and 105.2. It should be noted that the encryption/decryption performed by servers 105.1 and 105.2 can be independent of the encryption performed by the corresponding clients 508.2 and 508.1. For example, a message by client 508.2 to client 508.1 may be encrypted when transmitted to server 105.1, decrypted by server 105.1 and subjected to appropriate actions by the policy managers, and then encrypted for transmission to server 105.2, decrypted by server 105.2 and subjected to appropriate actions by the policy managers, and then encrypted for transmission to client 508.1 which decrypts the message. Alternatively, a message by client 508.2 to client 508.1 may be encrypted by client 508.2, be subjected to appropriate actions to non-encrypted portions, such as the destination field, and then the entire message, including the portions not encrypted by client 508.2, can be encrypted again by server 105.1 for transmission to server 105.2, which decrypts the encryption by server 105.1, and transmits the message to client 508.1 for decryption of the encryption performed by client 508.2. A combination of the foregoing two scenarios is also possible.

Each e-mail message 204 processed by e-mail firewall 105 is processed in accordance with the steps shown in
FIGS. 6(a) and 6(b). FIG. 6(a) is a flowchart showing operation of the e-mail firewall 105 in response to a received message. FIG. 6(b) is a flowchart showing operation of the e-mail firewall 105 prior to transmitting a message. The messages processed by e-mail firewall 105 may be received from an internal site for transmission to an internal site, or may be received from an internal site for transmission to an external site, or may be received from an external site for transmission to an internal site. Any single message may include internal and external destinations 206. The steps shown in FIGS. 6(a) and 6(b) are performed by generation of sender and recipient policies shown in FIG. 3. For multiple destinations, the steps shown in FIG. 6(b) may therefore be performed differently and have different results for different destinations.

Turning to FIG. 6(a), at 602, the e-mail firewall 105
determines if decryption of portions of the message 204 is
required. If so, then at 604, decryption is performed in
accordance with stored keys 628. After decryption, or if no
decryption is required, then the e-mail firewall 105 applies
policy managers 216, which perform five types of actions
(shown at 610, 612, 614, 616 and 620) on e-mail message
204. Criteria actions 610 represent filtering criteria selected
by the administrator. Exception actions 612 determine which
criteria 610 are excluded. Multiple criteria 610 can be
selected, which effectively results in a logical AND operation
of the criteria. Multiple exceptions 612 can be selected,
which effectively results in a logical OR operation of the
exceptions; that is, any one of the exception conditions being
true will result in the policy not being triggered. Annotation
actions 614 cause generation of an attachment to message
204 or insertion of text into the body 208 of the message.
The manner in which annotations are made is based on a
policy entered by the administrator. Notification actions 616
cause the sending of one or more e-mail notifications when
a given policy is triggered. Notifications can be sent to the
sender, recipient, administrator, or any e-mail address that is
defined by the administrator. In addition, notification actions
616 allow specification of whether the original message 204
should accompany the notification. Note that a notification
carrying the original message 204 re-discloses that message
to every notification address, so this option warrants care
for notification addresses outside the site. Disposition action
620 determines whether the message should continue to the
destination(s) (specified by field 206) or whether one of a
plurality of alternative actions 622 such as deferral,
quarantine, return to sender, or dropping of the message is
required.
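The criteria/exception/action evaluation just described, as an added Python illustration (this is not code from the patent): criteria are ANDed, exceptions are ORed, and a triggered policy produces its annotation, notification and disposition actions. The Message fields, the whole-word matching, the sample domains and addresses, and the rule that the most restrictive disposition wins when several policies fire are assumptions of the example; the check that a policy has at least one criterion is added because an empty AND is vacuously true and would fire on every message.

```python
"""Policy evaluation for the FIG. 6(a) path: criteria (610) are ANDed,
exceptions (612) are ORed, and a triggered policy drives annotation (614),
notification (616) and disposition (620). Added illustration, not the
patent's code. Assumed: the Message fields, whole-word matching, and the
rule that the most restrictive disposition wins when several policies fire."""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


Predicate = Callable[[Message], bool]


@dataclass
class Policy:
    name: str
    criteria: List[Predicate]                                   # all must hold (AND)
    exceptions: List[Predicate] = field(default_factory=list)   # any one suppresses (OR)
    annotation: Optional[str] = None                            # text inserted into body 208
    notify: List[str] = field(default_factory=list)             # "sender", "recipient" or an address
    attach_original: bool = False                               # notification carries message 204
    disposition: str = "deliver"                                # deliver|defer|return|quarantine|drop


SEVERITY = {"deliver": 0, "defer": 1, "return": 2, "quarantine": 3, "drop": 4}


def validate(policy: Policy) -> None:
    """all([]) is True, so a policy with no criteria would fire on every
    message; reject that at configuration time."""
    if not policy.criteria:
        raise ValueError(f"policy {policy.name!r} has no criteria")
    if policy.disposition not in SEVERITY:
        raise ValueError(f"policy {policy.name!r}: unknown disposition {policy.disposition!r}")


def triggers(policy: Policy, msg: Message) -> bool:
    """AND over criteria, OR over exceptions: any true exception suppresses."""
    return all(c(msg) for c in policy.criteria) and not any(e(msg) for e in policy.exceptions)


def apply_policies(policies: List[Policy], msg: Message) -> Tuple[str, List[str], List[Tuple[str, str, bool]]]:
    """Returns (disposition, names of triggered policies,
    notifications as (address, policy name, original attached))."""
    disposition, fired, notes = "deliver", [], []
    for p in policies:
        validate(p)
        if not triggers(p, msg):
            continue
        fired.append(p.name)
        if p.annotation:                       # annotation action 614
            msg.body = msg.body.rstrip("\n") + "\n\n" + p.annotation
        for target in p.notify:                # notification action 616
            addrs = {"sender": [msg.sender], "recipient": msg.recipients}.get(target, [target])
            notes.extend((a, p.name, p.attach_original) for a in addrs)
        if SEVERITY[p.disposition] > SEVERITY[disposition]:   # disposition action 620
            disposition = p.disposition
    return disposition, fired, notes


# --- constructed sample policies (hypothetical domains and addresses) ---
def has_word(word: str) -> Predicate:
    pat = re.compile(rf"\b{re.escape(word)}\b", re.IGNORECASE)
    return lambda m: bool(pat.search(m.subject) or pat.search(m.body))


def any_external(domain: str) -> Predicate:
    return lambda m: any(not r.lower().endswith("@" + domain) for r in m.recipients)


def attachment_suffix(suffix: str) -> Predicate:
    return lambda m: any(a.lower().endswith(suffix) for a in m.attachments)


INTERNAL = "corp.example"
POLICIES = [
    Policy("confidential-outbound",
           criteria=[has_word("confidential"), any_external(INTERNAL)],
           exceptions=[lambda m: m.sender.lower() == "legal@corp.example"],
           annotation="[Returned: confidential material addressed outside corp.example]",
           notify=["sender", "security@corp.example"], disposition="return"),
    Policy("executable-attachment",
           criteria=[attachment_suffix(".exe")],
           notify=["security@corp.example"], attach_original=True,
           disposition="quarantine"),
    Policy("external-disclaimer",
           criteria=[any_external(INTERNAL)],
           annotation="This message left corp.example via the e-mail firewall."),
]

if __name__ == "__main__":
    m = Message("alice@corp.example", ["bob@partner.example"], "Q3 plan", "This is CONFIDENTIAL.")
    print(apply_policies(POLICIES, m))
```

The exception list is evaluated only after every criterion has matched, which is exactly the AND-then-OR order the text describes; a policy with a single exception that is always true is therefore equivalent to a disabled policy, which is worth checking for when reviewing an administrator's configuration.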

The steps shown in FIG. 6(b) are performed for each
destination specified for a message 204. The steps shown in
FIG. 6(b) are also performed for messages generated by step
622. First, policy managers 216 perform actions 610, 612,
614 and 616, for each destination specified in the message
204. Disposition action 623 operates similarly to disposi-
tion action 620 by determining whether the message should
continue to the destination(s) (specified by field 206) or
whether one of a plurality of alternative actions 622 such as
deferral, quarantine, return to sender, or dropping of the
message is required. At step 624, a determination is made if
encryption of the message is required. If so, then at step 626
encryption is performed in accordance with stored keys 628.
If not, then the message is transmitted to the specified
destination at step 630. Messages that are processed by
block 622 are also checked at step 624 before transmission.
For example, messages that are deferred, quarantined or
returned to the sender may need to be encrypted.

FIG. 7 is a block diagram showing further details of
alternative actions 622. Messages received from disposition
step 620 are stored in one of the four queues 702, which
include quarantine queue 704, retry queue 706, dead letter
queue 708, and defer queue 709, depending upon the speci-
fied disposition of the message. Quarantine queue 704 stores
messages for subsequent retrieval and review by a system
administrator or other authorized person. Retry queue 706
stores messages for which delivery has failed. Transmission
of messages in the retry queue 706 is subsequently
re-attempted. Dead letter queue 708 stores messages which
continue to be undeliverable after several retries and which
cannot be returned to the sender. Messages in the dead letter
queue 708 may be acted upon by a system administrator.
Defer queue 709 stores messages to be delivered automati-
cally at a later time, for example an off-peak time such as a
weekend or night time. Configuration module 230 provides
a plurality of actions 710-714 which may be performed on
the messages in queue 702. The messages can be viewed 710
by the administrator, returned to the sender 711, deleted 712,
sent to the specified destination(s) 713 and/or saved 714.
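The per-destination outbound path of FIG. 6(b) together with the four queues of FIG. 7, as an added Python illustration (not code from the patent). It covers the two points a practitioner most needs to get right: every copy that leaves the firewall, including returned and deferred copies, passes through the step 624 encryption decision, and a message whose policy demands encryption when no stored key exists is held rather than sent in cleartext. The retry limit, the off-peak release hour, key lookup by full address and then by domain, the null envelope sender on a returned copy, and quarantining on a missing required key are assumptions of the example.

```python
"""Per-destination outbound handling of FIG. 6(b) and the holding queues of
FIG. 7 (quarantine 704, retry 706, dead letter 708, defer 709). Added
illustration, not the patent's code. Assumed: max_retries, the off-peak
release hour, key lookup by address then domain, and quarantining a message
whose policy demands encryption when no stored key (628) exists."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Item:
    msg_id: str
    sender: str                 # envelope sender; "" for a null sender (bounce)
    destination: str
    attempts: int = 0
    release_at: Optional[datetime] = None


@dataclass
class Queues:
    quarantine: List[Item] = field(default_factory=list)
    retry: List[Item] = field(default_factory=list)
    dead_letter: List[Item] = field(default_factory=list)
    defer: List[Item] = field(default_factory=list)
    outbox: List[Tuple[Item, Optional[str]]] = field(default_factory=list)  # (item, key id or None)


RequiresEncryption = Callable[[str], bool]   # policy decision of step 624 for a destination


def key_for(destination: str, stored_keys: Dict[str, str]) -> Optional[str]:
    """Stored keys 628: exact address first, then the destination domain (assumed order)."""
    addr = destination.lower()
    return stored_keys.get(addr) or stored_keys.get(addr.rsplit("@", 1)[-1])


def transmit(q: Queues, item: Item, keys: Dict[str, str], requires: RequiresEncryption) -> str:
    """Steps 624/626/630 for one copy leaving the firewall. Returned and
    deferred copies pass through here too, as the text requires. A required
    key that is missing must never degrade to cleartext: hold the message."""
    key = key_for(item.destination, keys)
    if requires(item.destination):
        if key is None:
            q.quarantine.append(item)
            return "quarantine"
        q.outbox.append((item, key))
        return "encrypted"
    q.outbox.append((item, None))
    return "cleartext"


def dispose(q: Queues, item: Item, disposition: str, now: datetime,
            keys: Dict[str, str], requires: RequiresEncryption, off_peak_hour: int = 22) -> str:
    """Disposition action 623 routed into queues 702 or onward to transmit()."""
    if disposition == "drop":
        return "dropped"
    if disposition == "quarantine":
        q.quarantine.append(item)
        return "quarantine"
    if disposition == "defer":
        release = now.replace(hour=off_peak_hour, minute=0, second=0, microsecond=0)
        item.release_at = release if release > now else release + timedelta(days=1)
        q.defer.append(item)
        return "defer"
    if disposition == "return":
        if not item.sender:                       # nothing to return to: dead letter 708
            q.dead_letter.append(item)
            return "dead_letter"
        # returned copy goes back to the original sender with a null envelope sender (assumed)
        item = Item(item.msg_id + "-returned", sender="", destination=item.sender)
    elif disposition != "deliver":
        raise ValueError(f"unknown disposition {disposition!r}")
    return transmit(q, item, keys, requires)


def delivery_failed(q: Queues, item: Item, now: datetime, keys: Dict[str, str],
                    requires: RequiresEncryption, max_retries: int = 3) -> str:
    """Retry queue 706 until max_retries, then return to sender or dead-letter."""
    item.attempts += 1
    if item.attempts <= max_retries:
        q.retry.append(item)
        return "retry"
    return dispose(q, item, "return", now, keys, requires)


def release_due(q: Queues, now: datetime, keys: Dict[str, str], requires: RequiresEncryption) -> List[str]:
    """Defer queue 709: send every item whose off-peak release time has arrived."""
    due, held = [], []
    for i in q.defer:
        (due if i.release_at is not None and i.release_at <= now else held).append(i)
    q.defer = held
    return [transmit(q, i, keys, requires) for i in due]
```

The retry path ends in a return to sender, and only when that is impossible (a bounce with a null sender) does the message reach the dead letter queue, which matches the text's description of queue 708 as holding messages that "cannot be returned to the sender".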

It is to be understood that the specific mechanisms and
techniques which have been described are merely illustrative
of one application of the principles of the invention. Numer-
ous modifications may be made to the methods and appa-
ratus described without departing from the true spirit and
scope of the invention.

What is claimed is: 

1. An e-mail control system for controlling e-mail mes- 
sages transmitted from and received by a computing site, 
comprising: 

a message encryptor for encrypting a first designated type 
of message transmitted from a user associated with said 
computing site in accordance with at least a first stored 
encryption key; 

a message decryptor for decrypting a second designated 
type of message sent to a user associated with said 
computing site in accordance with at least a second 
stored encryption key; and 

a filter for monitoring said messages, after decryption by 
said decryptor and before encryption by said encryptor, 
in accordance with changeable filter information, the 
filter comprising at least a content filter to enforce 
content control policies by reference to specific words 
in the message body, each of said messages including 
at least one recipient address, the e-mail control system 
transmitting a message to said at least one recipient 
address in response to a predetermined policy result of 
said filter. 

2. An e-mail control system as set forth in claim 1 wherein
each of said messages comprise destination information,
identifying at least a first destination for said message, and
wherein said filter further comprises a destination filter for
restricting transit of said messages which contain informa-
tion corresponding to changeable destination filter informa-
tion.

3. An e-mail control system as set forth in claim 2 wherein 
each of said messages comprise source information, identi- 
fying at least a first source for said message, and wherein 
said filter further comprises a source filter for restricting 
transit of said messages which contain information corre- 
sponding to changeable source filter information. 

4. An e-mail control system as set forth in claim 3 further 
comprising means, responsive to said filter, for causing 
redirection of messages which contain information corre- 
sponding to said changeable filter information to a destina- 
tion which differs from at least said first destination of said 
message. 

5. An e-mail control system as set forth in claim 4 further
comprising means, responsive to said filter, for causing
redirection of messages which contain information corre-
sponding to said changeable filter information to a destina-
tion which corresponds to at least said first destination of
said message.

6. An e-mail control system as set forth in claim 5 further
comprising:

notification means, responsive to said means for causing
redirection of messages, for causing generation of a
notification e-mail message; and

redirection means for causing transmission of said noti-
fication e-mail message to a destination corresponding
to changeable notification message destination infor-
mation.

7. An e-mail control system as set forth in claim 6 wherein
said notification message comprises a body portion and
wherein said notification means further comprises means for
causing generation of a message contained in said body
portion.

8. An e-mail firewall for restricting transmission of e-mail
messages between a first site and a plurality of second sites
in accordance with a plurality of administrator selectable
policies, said firewall comprising:

a simple mail transfer protocol (SMTP) relay for causing
said e-mail messages to be transmitted between said
first site and selected ones of said second sites; and

a plurality of policy managers, responsive to said SMTP
relay, for enforcing administrator selectable policies,
said policies comprising at least a first source/
destination policy, at least a first content policy and at
least a first virus policy, said policies characterized by
a plurality of administrator selectable criteria, a plural-
ity of administrator selectable exceptions to said crite-
ria and a plurality of administrator selectable actions
associated with said criteria and exceptions, said policy
managers comprising,
an access manager for restricting transmission of e-mail
messages between said first site and said second sites
in accordance with said source/destination policy;

a content manager for restricting transmission of e-mail
messages between said first site and said second sites in
accordance with said content policy; and

a virus manager for restricting transmission of e-mail
messages between said first site and said second sites in
accordance with said virus policy, each of said e-mail
messages including at least one recipient address, the
e-mail control system transmitting a message to said at
least one recipient address in response to a predeter-
mined policy result of a policy manager.

9. An e-mail firewall as set forth in claim 8 wherein said
policy managers further comprise a format manager, respon-
sive to said administrator selectable policies, for converting
said e-mail messages from a first format to a second format.

10. An e-mail firewall as set forth in claim 8 wherein said
e-mail messages are formatted into a plurality of fields
comprising a source field, a destination field, subject field,
and a message field and wherein said access manager is
responsive to said source/destination policy specified for
each of said fields of said e-mail messages.

11. An e-mail firewall as set forth in claim 10 wherein said 
e-mail messages are further characterized by a size field and 
wherein said access manager is responsive to said source/ 
destination policy specified for said size field. 



12. An e-mail firewall as set forth in claim 10 wherein said 
e-mail messages are further characterized by a date and time 
field and wherein said access manager is responsive to said 
source/destination policy specified for said date and time 
field. 

13. An e-mail firewall as set forth in claim 8 wherein said
virus manager is responsive to e-mail messages containing
compressed information for detecting viruses contained in
said compressed information.

14. An e-mail firewall as set forth in claim 10 wherein said 
content manager is responsive, in accordance with said 
content policy, to information contained in said subject field 
and in said message field. 

15. An e-mail firewall as set forth in claim 14 wherein said
e-mail message further comprises an attachment field and
wherein said content manager is responsive, in accordance
with said content policy, to an attachment designated in said
attachment field.

16. A method for restricting receipt of e-mail messages, in
accordance with a plurality of changeable policies, to a first
site from a plurality of second sites, the method comprising
the steps of:

intercepting a first e-mail message transmitted to a user
associated with said first site from at least one user
associated with one of said second sites;

determining if said message is encrypted and decrypting
said message in accordance with a stored key, if said
message is encrypted; and

filtering said message in accordance with at least one
stored content policy, said messages including at least
one internal site recipient address, the e-mail control
system transmitting the message to said at least one
internal site recipient address in response to a prede-
termined policy result of said filtering.

17. A method for restricting transmission of e-mail
messages, in accordance with a plurality of changeable
policies, from a first site to a plurality of second sites, the
method comprising the steps of:

intercepting an e-mail message transmitted to at least one
user associated with one of said second sites from a
user associated with said first site;

filtering said e-mail message in accordance with a plu-
rality of stored policies, including at least one content
policy to enforce content control policies by reference
to specific words in the message body;

responding to a first of said stored policies by encrypting
said e-mail message in accordance with a stored key;
and

transmitting said e-mail message to at least one user
associated with one of said second sites.

18. A method as set forth in claim 16, wherein said 
filtering of said message comprises ensuring that an execut- 
able attachment is digitally signed. 

19. A method as set forth in claim 18, wherein said digital 
signature certificate is an X.509 certificate. 